Matthew Todd, principal consultant, Full Scope Consulting LLC
Unlike almost any other role, a CISO’s job is to identify and mitigate risks to the systems and data on which the enterprise relies.
While other teams are innovating, closing new deals or keeping the lights on, the CISO needs the tools, processes and partnerships (both inside and outside the firm) to quickly identify emerging or changing risks, prioritize them and mitigate them. There’s no way to pay attention to every risk, so prioritization and triage become key.
On any given day, then, perhaps the top five percent of risks merit attention. This number will vary wildly depending on the circumstances, the industry, the age of the company, the regulatory environment, and the risk tolerance of the board and the executive suite.
The problem is this:
The total number of emerging risks is growing exponentially by the day. Years ago, five percent was reasonable. Today, five percent seems like a ridiculous dream.
Business Has Changed
Twenty years ago, I cut my CISO teeth in a waterfall world. The pace and timing of product releases were predictable. There was plenty of time to think about and plan for risk. The cost of new technology was high and naturally moderated the pace of innovation and growth. It gave me time to think about other risks to our environment, like regulatory demands and customer expectations, even with a small security team. I had the luxury of writing whitepapers for customers about our security and memos to our chief counsel about how we would fare should the regulators come calling.
Back in those waterfall days, if I found out someone had set up a new server without a detailed security review and express permission, it could be grounds for termination. Today, that’s a laughably antiquated concept. If I stood in the way of a developer creating an entire development environment, I might be the one heading for the door.
The Threat Landscape Also Changed
The pace of product innovation is furious, aided by development tools, agile processes, virtual environments and cloud services. This is made even more urgent by competitors innovating at a similar pace.
There’s no time to stop and think about risk in a product release cycle (except in a strategic way). New environments, locations and uses for data, and third-party tools and libraries create an exponentially expanding risk environment within the enterprise. At the same time, other teams like marketing, accounting and legal all need to innovate and accelerate to keep the business on track.
Meanwhile, the threat landscape changed dramatically.
Gone are the days of a handful of script kiddies and very few sophisticated hackers. Back then, large-scale attacks were few and far between, and generally hit those who were simply not prepared for any kind of attack. There were exceptions, when everyone scrambled to patch a spectacular MS-SQL or Exchange vulnerability, but at least everyone was in the same boat. Customers understood that a company had to take a few days to focus on patching (because they were doing it, too).
Today, sophisticated hacks are commoditized. Anyone can pay a few dollars in cryptocurrency and acquire a tool, complete with customer support, that only a month ago was the best-kept secret of a three-letter agency. There are organizations that will pay $2 million for a zero-day exploit so they can sell it to others who will weaponize it, rather than having it revealed to the entity that can fix it.
What’s Our Next Move?
For every problem, there’s a product that solves it. At least, that’s what we hear every year at RSA.
The expo floor teems with vendors offering solutions for security problems you didn’t realize you had, with such ease of use that you’ll never sleep fitfully again. Most security tools start out as a point solution, designed to solve one problem. Over time, these point tools often proliferate and then consolidate (typically by acquisition). At this point, we are offered a tool that solves a whole range of problems.
I am skeptical of any product vendor that says it can solve all my security problems right now, no matter what technologies they've recently acquired. Integration of those things is hard. Ask any CISO who's been forced to purchase a crate-load of tools and tried to tie them together.
Don't get me wrong; I think there are good tools that can help with certain small classes of problems. I also think that what these vendors are trying to do is absolutely necessary.
To keep pace with the exponential growth in both innovation and threats, we need solutions that tackle classes of risk—not individual risks.
Solving classes of risk reduces the likelihood that a new risk will emerge within that class, allowing the CISO to focus attention elsewhere.
For example, if there was a way to broadly address the class of risks associated with product development (inclusive of tools, environments, data, etc.), then the relative risk of all activities within the product development team would be reduced below the threshold of “risks we must worry about today.”
It’s not about mitigating the risk of a network connection, a piece of software or a virtual server. It’s about mitigating the risks associated with an entire business process, or all the processes of a given business unit, without slowing the business down.
Every team wants the tools to let them innovate quickly, without asking for permission or waiting for someone else to install something. No CISO wants to stand in the way of that. CISOs need the tools to be a true partner to the business—and an enabler of innovation.